How Do Viruses Spread?

All the advice you've ever heard about how to avoid getting infected by a computer virus may be wrong. Well, at least some of it... A new study sheds light on how viruses and other malware are most commonly spread in today's Internet environment. Read on for details...

Where Are Viruses Lurking on the Web?

The 2013 Cisco Annual Security Report includes some disturbing data about how malware (viruses, spyware and other nasties) infects millions of computers each year.

The surprising conclusion of the Cisco study is this: All of the advice you’ve received about sticking with known, trusted Web sites seems to be wrong. In fact, the more legitimate a site is, the more likely you are to catch a malware infection from it.

The report found that the vast majority of malware comes from mainstream sites visited by mass audiences, not from shady sites that relatively few people visit. E-commerce sites are 21 times more likely to deliver malware than counterfeit software sites, for example. Viewing an online advertisement, you are 182 times more likely to be served malware than you are when viewing p**n.

Cisco looked at some major online applications and the percentage of total malware exposure found on each type:

Search Engines: 36%

Online Video: 22%

Social Networks: 20%

Advertisements: 13%

Other: 9%

Obviously, legitimate sites such as Google, Bing, Youtube and Facebook are not trying to give you malware. But malware distributors strive to inject malware into the most popular sites, and the ones that people trust the most. You may be wary of clicking a link on a gambling site if you are not sure what it does, but you might not hesitate to click it while visiting your favorite search engine, online shopping or social media website.

Hackers are constantly looking for vulnerabilities in the software that powers websites. Sloppy coding practices may open the door for "SQL injection attacks," and "buffer overruns." Poor security and weak passwords may allow breaches where malicious code can be planted.

When Malware Attacks...

Once malware infects your computer, it can use your system’s resources to spread itself even further. Malware may access your contacts lists and send phishing links via email to friends and family. It may re-direct browser requests for legitimate websites to rogue sites. Unknown to you, one malware program may download and install others. Malware may copy itself to a networked computer, USB drive or other removable media that you insert into your computer. Email attachments, removable media, free software containing Trojan Horses, and file-sharing on home or office networks still play roles. It’s as important as ever to keep your anti-malware program up to date and practice safe computing habits.

Web exploits are by far the biggest malware vector online. On the plus side, email spam is down 18% worldwide. Mobile malware accounted for only 0.5% of malware exposures in Cisco's Security Report, although Android malware instances increased over 2500% in 2012. (Take that number with a grain of salt, though. A large chunk of the Android malware problem comes from sketchy third-party app markets. See Do You Need Mobile Security Protection? for some additional advice.)

The moral of this story is: keep your guard up no matter where you are online. Don’t ignore the warnings of your anti-malware program just because you’re visiting a site that’s familiar and trusted. It’s entirely possible that site has been infected with malware since your last visit. And remember that you don't have to shell out big bucks for good computer security. See my article Free AntiVirus Programs for a list of free alternatives to Norton, McAfee and other commercial antivirus software.

Have you ever gotten a computer virus from a "good neighborhood" while browsing the Web? What's your strategy for staying safe online?

Most recent comments on "How Do Viruses Spread?"

Posted by:
MmeMoxie
14 Mar 2013

I am very cautious about protecting my desktop computer and Android Smartphone. Yet, every once in awhile, I do get a virus. I know, it has come from browsing the web and it is the "nature of the beast", in today's Internet. Thankfully, I've got a good Anti-Virus protection, that "catches" the virus, so I can take care of business.

Since, I have an Android Smartphone, I prefer to protect it, as well. So far, I have not gotten a virus, on my wireless phone. As you said, there may not be that much of a need, right now. However, knowing the history of hackers/crackers, I want my Smartphone protected. It's called taking action, before any damage can be done. :)

Must mention, I am using the FREE version of avast! on both my computer and Smartphone. I am very pleased with the avast! FREE version. It just works, for my needs, which consists of emails, going to Facebook, doing family financial business and browsing the Internet, for some personal research. I am not a heavy business or an Internet user, so, the FREE version of avast!, suits my needs.

Posted by:
East Slope Charlie
14 Mar 2013

QUESTION FOR BOB: AT&T 'advanced tech support' told me that I should NEVER have more than ONE anti-spy (mal)ware program on my computer at one time. I said,: "No, you can't RUN more than one program at a time. You can have any number as long as they aren't running at the same time." He was adamant, and started to remove MBAM despite my protestations.

It seems (to me) that you MUST have more than one program to check for false positives or false negatives since there's only really only one way to tell. So-- Doc, what's the skivvy on more than one anti-malware PROGRAM if you only run one at a time?

EDITOR'S NOTE: The tech is flat wrong. You should only have one active (real-time) anti-malware tool. But you can have any number of on-demand scanners, such as MBAM.

Posted by:
East Slope Charlie
14 Mar 2013

I generally run one of several free antimalware programs each day as I shut down. If I find an infection my plan is to run a second program to double check to see if I got a false positive.

Generally I'll manually run say, MBAM, then have AVG auto-run in the middle of the night since I run a Distributed Grid Computing Program (World Community Grid), then the next day I might run Avast! In the evening, and the next day run BitDefender (with AVG running every night while I sleep). All the programs are free. So in a week I cycle through several programs each of which will run a different algorithm to do the ‘full scan’. In 20+ years of computing I’ve gotten ONE virus, by clicking inside an e-mail (and, yes, I DID dope-slap myself), curiosity did kill this cat for a bit.

Posted by:
Tom Van Dam
14 Mar 2013

First, I enjoyed your article, it made a lot of sense. I was surprised by your statement that spamming of emails has gone down. At the small business where I work (13 email accounts) we are getting a rash of emails that appear to be legit but are not. We get emails from the BBB (Better Business Bureau) stating that they have received a complaint against us, UPS stating they have a delivery they couldn't make and a Direct Deposit that didn't make it. Of course all of these have attachments which shouldn't be used. My point is we get these every day.

Posted by:
Sebastian V.
14 Mar 2013

I used Google to find a telephone number for a grocery wharehouse chain here in California. I opened the page and got the phone number and was also treated with 'Malware Doctor' installed on my desktop and taskbar. I finally was able to rid my computer of the beast after a system restore. Just a note to keep your restore points current.

Posted by:
Stanley Piotrowicz
15 Mar 2013

Today, 3/14/13, I got a call from a person with an Asian accent who claimed to be calling from microsoft. He said they monitored activity on my computer that left malware on my hard drive. I asked specifically what the malware was named. He said for me to turn on my computer, press the Microsoft symbol key & R. On the pop up that this brought I was to type in EVENTVWR & it would show me the malware. Being a cagey 86 yr old coot & before I did this, I asked him for proof he was really calling from Microsoft. He abruptly hung up. I don't know if you have heard about this apparent con but if not you can help spread the word. Continued success to your enterprise.

Posted by:
KatieA
15 Mar 2013

We did end up getting a Trojan by opening up an infected e-mail that contained an infected link/Trojan.

The e-mail was sent to us by one of our friends, so we never thought that there would have been a problem with it.

I didn't realize at the time either, that our anti-virus program wasn't keeping up with its updates on our computer either, so that didn't help things.

Luckily, Malwarebytes found the Trojan and quarantined it and I was able to get rid of it.

Posted by:
Nina
24 Mar 2013

"Obviously, legitimate sites such as Google, Bing, Youtube and Facebook are not trying to give you malware".

Sorry to burst your bubble but an example of Google's couldn't-care-less attitude goes back to the time that Ad-Aware was a good defence against adware. If you Googled Ad-Aware, guess what came out top of the page? AdWare. Not Ad-Aware with the extra "A". The one that came out top was a rogue program that invaded computers with pop-ups that warned that your computer was infected but for a price they could "clean" it. Needless to say, pay up and nothing happened.

Good old Google!

Posted by:
jeff m
27 Mar 2013

Get a custom host file protection like "MVPS", Which basically blocks you from accessing a lot of the websights adds that are bad for you. If there is a link off to the side, or at the top of google that i want to visit. I'll type it into google directly, and go directly to there web page, thus bypassing the add link. I also have been using Microsoft security essentials/ windows defender, and blocking all images initially in my hotmail/ windows live email account. I usually don't ever enable the images, and normally just go directly to the websight through google. I haven't had any issues in quite a while with viruses or malware. I highly suggest using mbps custom host file.

Post your Comments, Questions or Suggestions

* Name:
* Email:
(* = Required field)

(Your email address will not be published)

Comments: (you may use HTML tags for style)

YES... spelling, punctuation, grammar and proper use of UPPER/lower case are important! Comments of a political nature are discouraged. Please limit your remarks to 3-4 paragraphs. If you want to see your comment posted, pay attention to these items.

All comments are reviewed, and may be edited or removed at the discretion of the moderator.

NOTE: Please, post comments on this article ONLY.
If you want to ask a question click here.